UK data regulator says its own site doesn't fit GDPR

The Information Commissioner's Office (ICO), the UK's data and communications watchdog, has admitted that its own website is not GDPR compliant.

The embarrassing admission came after the ICO was asked about its cookie-harvesting practices on mobile devices. The question arose after a mobile user noticed that, when the ICO website is accessed from a mobile device, it stores cookies on the visitor's device without explicit consent.

Here's what the Office had to say:

"I acknowledge that the current cookies consent notice on our website doesn't meet the required GDPR standard. We are currently in the process of updating this to align our use of cookies to the GDPR standard of consent and we will be making amendments to this information during the week commencing 24 June."

The wider community was furious, while some were surprised at the level of honesty on display here.

Re: UK data regulator says its own site doesn't fit GDPR

I'm not surprised.

I contacted the ICO on their published helpline number for advice on how to implement the 'cookie directive' (PECR) in a compliant manner back in 2011. Their response was an alarming 'we don't offer advice' and a veiled threat that if we got it wrong then they may bring enforcement action. Not exactly what I'd been hoping for. We modelled our approach on that of the BBC and hoped for the best.

Re: UK data regulator says its own site doesn't fit GDPR

I am amazed that a lawsuit has not been filed against the agency but I am glad that is apparently not the mentality in the UK. The idea behind the GDPR was good but implementation is always going to be an ongoing challenge. Regulations should focus on what is really essential in protecting the public, not pursuing Nirvana for the proponents and activists of a community.

Re: UK data regulator says its own site doesn't fit GDPR

Historically, the UK regulator was understaffed, so it was quite possible to get unhelpful answers to queries and from case officers examining complaints. I'll admit we gamed the system, knowing that they were under-resourced, to get cases closed when we knew for a fact we had done nothing wrong and the complaints were baseless or just plain vindictive. I struggled to understand why the ICO would take up complaints from individuals alleging data breaches when our organisation neither collected nor processed their data.

Re: UK data regulator says its own site doesn't fit GDPR

It is very instructive that complaints were not vetted such that the complainant had to provide strong evidence for their complaint as indicated by the recent post to this topic. Governments and their regulators need to up their game to be very savvy and great at governance such that the implementation of regulations shows the ability to develop and implement elegant processes that get the job done very effectively and efficiently.

When governments fail to apply the talent and resources to govern and regulate in a superior manner, they lose the confidence and respect of the people. My expectation is not pie in the sky; it is what was historically expected and demanded by the people. To make my point, the phrase "good enough for government work" has come to mean low expectations for the government with a very cynical connotation, HOWEVER, if you go back to the real origin of the phrase it meant the exact opposite. That is, being good enough for government work meant meeting exacting standards. We as a world community that cares about and that needs good governance need to get back to the mentality that expects the absolute best from our respective governments. Refer to this article for the details of what I mention here: https://fcw.com/blogs/lectern/2018/01/good-enough-for-government-work-kelman.aspx

Re: UK data regulator says its own site doesn't fit GDPR

Ah, yes, having worked in government and then returned to the private sector, it's quite common to get the comment that I must be poorly qualified and not very competent. Whilst there are some people in government roles like that, it's not the majority, and they've forgotten the recent history of the 2007-2009 recession, when a fair number joined government organisations after being laid off by their companies because they needed to pay the bills.

All contents of this site constitute the property of (ISC)², Inc. and may not be copied, reproduced or distributed without prior written permission. (ISC)², CISSP, SSCP, CCSP, CAP, CSSLP, HCISPP, CISSP-ISSAP, CISSP-ISSEP, CISSP-ISSMP and CBK are registered certification marks of (ISC)², Inc.